bin-utils/signer.sh

#!/bin/sh

DIR_ETC=./etc/

HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca
USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
HOST_CONFIG_ROOT=${DIR_ETC}public/host/
USER_CONFIG_ROOT=${DIR_ETC}public/user/

ARGS_COUNT=$#
# public key file
PUBKEY=$1
# certificate type: user/host
TYPE=$2
# config name
NAME=$3
# certificate validity duration
VALIDITY=$4
# principals for user cert
PRINCIPALS=$5
if [ "$ARGS_COUNT" -gt 5 ]
then
  shift 5
  # certificate options
  OPTS=$@
  echo "options: $OPTS"
fi

usage()
{
  echo "signer.sh <pubkey_file> <user|host> <name> <validity> (<principals> <options...>)"
}

check_pubkey()
{
	if [ ! -f $PUBKEY ]; then
		echo "missing public key: $PUBKEY" >&2
    usage
		exit 1
	fi
}

check_ca_key()
{
	CA_PRIV=$1
	if [ ! -f $CA_PRIV ]; then
		echo "missing private CA key: $CA_PRIV" >&2
		exit 2
	fi
}

check_config()
{
	CONFIG_DIR=$1
	if [ ! -d $CONFIG_DIR ]; then
		echo "missing config: $CONFIG_DIR" >&2
		exit 3
	fi
}

user_cert()
{
	check_ca_key $USER_CA_PRIV
	USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
	check_config $USER_CONFIG
	if [ -z "$PRINCIPALS" ]; then
		echo "missing principals" >&2
    usage
		exit 1
	fi
	if [ -z "$VALIDITY" ]; then
		echo "missing validity duration" >&2
    usage
		exit 1
	fi
  if ls $USER_CONFIG/*-cert.pub 2>/dev/null > /dev/null ; then
    SERIAL=$(( $( ls $USER_CONFIG/*-cert.pub | wc -l ) + 1 ))
  else
    SERIAL=1
  fi
  TS=$( date '+%Y%m%d%H%M.%S' )
  CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"
  USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"
  # copy key
  cp -f "$PUBKEY" "$USER_PUB_KEY"

  echo "Generate user certificate"
  echo "  key: $PUBKEY"
  echo "  serial: $SERIAL"
  echo "  ID: $CERT_ID"
  echo "  principals: $PRINCIPALS"
  echo "  validity: $VALIDITY"
  

	#ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" $OPT_PARAMS -V "$VALIDITY" -z "$SERIAL" "$USER_PUB_KEY"
  # declare -a PARAMS
  # PARAMS=( "-I" "$CERT_ID" "-s" "$USER_CA_PRIV" "-n" "$PRINCIPALS" "-V" "$VALIDITY" "-z" "$SERIAL" "$USER_PUB_KEY" )
  # for opt in "$OPTS"
  # do
    # PARAMS+=( $opt )
  # done
  # echo "${PARAMS[@]}"
  
  # ssh-keygen "${PARAMS[@]}"

	gen_cert 
  if [ "$?" -eq 0 ] ; then
    cp "${USER_PUB_KEY%.pub}-cert.pub" "${PUBKEY%.pub}-cert.pub"
    ssh-keygen -L -f "${PUBKEY%.pub}-cert.pub"
  fi
}

gen_cert()
{
  for opt in $OPTS
  do
    set -- "$@" "-O"
    set -- "$@" "$opt"
  done
  
	ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" -V "$VALIDITY" -z "$SERIAL" $@ "${USER_PUB_KEY}"
}

host_cert()
{
	check_ca_key $HOST_CA_PRIV
	HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
	check_config $HOST_CONFIG
}

if [ "$ARGS_COUNT" -lt 4 ]; then 
  usage
  exit 1
fi
check_pubkey
case $TYPE in
	"user")
		user_cert
		;;
	"host")
		host_cert
		;;
	*)
		echo "unknown certificate type" >&2
    usage
		exit 1
		;;
esac
WIP SSH CA 2024-02-12 05:54:18 +00:00			`#!/bin/sh`

			`DIR_ETC=./etc/`

			`HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca`
			`USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca`
			`HOST_CONFIG_ROOT=${DIR_ETC}public/host/`
			`USER_CONFIG_ROOT=${DIR_ETC}public/user/`

Fix options 2024-02-12 13:32:44 +00:00			`ARGS_COUNT=$#`
WIP user cert 2024-02-12 11:05:40 +00:00			`# public key file`
			`PUBKEY=$1`
			`# certificate type: user/host`
			`TYPE=$2`
			`# config name`
			`NAME=$3`
			`# certificate validity duration`
WIP SSH CA 2024-02-12 05:54:18 +00:00			`VALIDITY=$4`
WIP user cert 2024-02-12 11:05:40 +00:00			`# principals for user cert`
			`PRINCIPALS=$5`
Fix options 2024-02-12 13:32:44 +00:00			`if [ "$ARGS_COUNT" -gt 5 ]`
			`then`
			`shift 5`
			`# certificate options`
			`OPTS=$@`
			`echo "options: $OPTS"`
			`fi`

			`usage()`
			`{`
			`echo "signer.sh <pubkey_file> <user\|host> <name> <validity> (<principals> <options...>)"`
			`}`
WIP user cert 2024-02-12 11:05:40 +00:00
			`check_pubkey()`
			`{`
			`if [ ! -f $PUBKEY ]; then`
			`echo "missing public key: $PUBKEY" >&2`
Fix options 2024-02-12 13:32:44 +00:00			`usage`
			`exit 1`
WIP user cert 2024-02-12 11:05:40 +00:00			`fi`
			`}`
WIP SSH CA 2024-02-12 05:54:18 +00:00
			`check_ca_key()`
			`{`
			`CA_PRIV=$1`
			`if [ ! -f $CA_PRIV ]; then`
			`echo "missing private CA key: $CA_PRIV" >&2`
			`exit 2`
			`fi`
			`}`

			`check_config()`
			`{`
			`CONFIG_DIR=$1`
			`if [ ! -d $CONFIG_DIR ]; then`
			`echo "missing config: $CONFIG_DIR" >&2`
			`exit 3`
			`fi`
			`}`

			`user_cert()`
			`{`
			`check_ca_key $USER_CA_PRIV`
			`USER_CONFIG=${USER_CONFIG_ROOT}${NAME}`
			`check_config $USER_CONFIG`
			`if [ -z "$PRINCIPALS" ]; then`
			`echo "missing principals" >&2`
Fix options 2024-02-12 13:32:44 +00:00			`usage`
			`exit 1`
WIP SSH CA 2024-02-12 05:54:18 +00:00			`fi`
			`if [ -z "$VALIDITY" ]; then`
			`echo "missing validity duration" >&2`
Fix options 2024-02-12 13:32:44 +00:00			`usage`
			`exit 1`
WIP SSH CA 2024-02-12 05:54:18 +00:00			`fi`
WIP user cert 2024-02-12 11:05:40 +00:00			`if ls $USER_CONFIG/*-cert.pub 2>/dev/null > /dev/null ; then`
			`SERIAL=$(( $( ls $USER_CONFIG/*-cert.pub \| wc -l ) + 1 ))`
			`else`
			`SERIAL=1`
			`fi`
			`TS=$( date '+%Y%m%d%H%M.%S' )`
			`CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"`
			`USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"`
			`# copy key`
			`cp -f "$PUBKEY" "$USER_PUB_KEY"`

			`echo "Generate user certificate"`
			`echo " key: $PUBKEY"`
			`echo " serial: $SERIAL"`
			`echo " ID: $CERT_ID"`
			`echo " principals: $PRINCIPALS"`
			`echo " validity: $VALIDITY"`
Fix options 2024-02-12 13:32:44 +00:00

			`#ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" $OPT_PARAMS -V "$VALIDITY" -z "$SERIAL" "$USER_PUB_KEY"`
			`# declare -a PARAMS`
			`# PARAMS=( "-I" "$CERT_ID" "-s" "$USER_CA_PRIV" "-n" "$PRINCIPALS" "-V" "$VALIDITY" "-z" "$SERIAL" "$USER_PUB_KEY" )`
			`# for opt in "$OPTS"`
			`# do`
			`# PARAMS+=( $opt )`
			`# done`
			`# echo "${PARAMS[@]}"`

			`# ssh-keygen "${PARAMS[@]}"`

			`gen_cert`
			`if [ "$?" -eq 0 ] ; then`
			`cp "${USER_PUB_KEY%.pub}-cert.pub" "${PUBKEY%.pub}-cert.pub"`
			`ssh-keygen -L -f "${PUBKEY%.pub}-cert.pub"`
			`fi`
			`}`
WIP SSH CA 2024-02-12 05:54:18 +00:00
Fix options 2024-02-12 13:32:44 +00:00			`gen_cert()`
			`{`
			`for opt in $OPTS`
			`do`
			`set -- "$@" "-O"`
			`set -- "$@" "$opt"`
			`done`

			`ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" -V "$VALIDITY" -z "$SERIAL" $@ "${USER_PUB_KEY}"`
WIP SSH CA 2024-02-12 05:54:18 +00:00			`}`

			`host_cert()`
			`{`
			`check_ca_key $HOST_CA_PRIV`
			`HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}`
			`check_config $HOST_CONFIG`
			`}`

Fix options 2024-02-12 13:32:44 +00:00			`if [ "$ARGS_COUNT" -lt 4 ]; then`
			`usage`
			`exit 1`
			`fi`
WIP user cert 2024-02-12 11:05:40 +00:00			`check_pubkey`
WIP SSH CA 2024-02-12 05:54:18 +00:00			`case $TYPE in`
			`"user")`
			`user_cert`
			`;;`
			`"host")`
			`host_cert`
			`;;`
			`*)`
			`echo "unknown certificate type" >&2`
Fix options 2024-02-12 13:32:44 +00:00			`usage`
WIP SSH CA 2024-02-12 05:54:18 +00:00			`exit 1`
			`;;`
			`esac`